Re: packets going over wrong link: ROUTE target not doing its job !!!!


 



On Thu, August 26, 2004 12:11 pm, dravya said:
>
> Hi all,
>
> I patched my kernel with the ROUTE target in order to force all icmp
> packets over one interface. The following are the rules I added:
>
> iptables -A POSTROUTING -t mangle -p icmp -j LOG --log-prefix "Mangle POST: "
> iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif ppp0
>
> The following is my routing table:
>
> 206.47.201.1 dev ppp0  proto kernel  scope link  src 69.158.206.247
> 192.168.1.0/24 dev eth0  scope link
> 169.254.0.0/16 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default equalize
>       nexthop via 206.47.201.1  dev ppp0 weight 1
>       nexthop via 204.101.237.225  dev ppp1 weight 1
>                                                          |
>                                                          |
>                                                          v
> Aug 26 11:56:29 localhost kernel: Mangle POST: IN= OUT=eth0 SRC=192.168.1.96
> DST=192.168.1.229 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 ID=55919 PROTO=ICMP TYPE=3 CODE=3
> [SRC=192.168.1.229 DST=192.168.1.96 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=25106 PROTO=UDP
> SPT=64696 DPT=137 LEN=58 ]
>
> According to the rule, shouldn't this be ppp0 ??? Using ethereal, I
> captured on ppp0 and the following is what I get:

According to the rule, this shouldn't be ppp0 because you are logging
*before* the effective rule has been hit.

>                                  |
>                                  |
>                                  v
> 2004-08-26 10:31:28.721245 192.168.1.96 -> 192.168.1.229 ICMP Destination unreachable
> 2004-08-26 10:31:28.721245 192.168.1.96 -> 192.168.1.229 ICMP Destination unreachable
>
> This means that from ppp0 there was a packet that had a src address of
> eth0. Hence, I get a change of ip address and I lose that connection.
>
> NOTE: I have tried MASQUERADING and it gives me the same problem of
> packets going over the wrong link.
>

As soon as the packet hits the ROUTE target (without --continue), it is
immediately sent over the link. This explains why you are not able to
MASQUERADE it.

My suggestion is to add --continue to your ROUTE rule, which will let the
packet continue traversal.

Then, patch ipt_MASQUERADE.c with Patrick's one to avoid the annoying
"MASQUERADE: Route sent us somewhere else."

>
> Dravya
>

HTH,

Samuel Jean
CookingLinux.org
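An added example, not part of the thread: a small Python parser for the netfilter LOG line format quoted above, plus a check that flags ICMP packets whose OUT= interface is not the one the ROUTE rule is meant to force. The sample line and the interface name ppp0 come from the thread; the function names are my own.

```python
import re

# Constructed sample line, modelled on the kernel LOG output quoted in the thread
SAMPLE_LOG = (
    "Aug 26 11:56:29 localhost kernel: Mangle POST: IN= OUT=eth0 "
    "SRC=192.168.1.96 DST=192.168.1.229 LEN=106 TOS=0x00 PREC=0xC0 TTL=64 "
    "ID=55919 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.229 DST=192.168.1.96 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=25106 PROTO=UDP SPT=64696 DPT=137 LEN=58 ]"
)

LOG_PREFIX = "Mangle POST: "   # the --log-prefix used in the rule above


def _fields(text):
    """Turn 'KEY=VAL KEY=VAL ...' into a dict. A key that repeats (LEN= appears
    for both the IP and the UDP header of the inner packet) keeps its first
    value under the plain key; later ones go under KEY.2, KEY.3, ..."""
    out = {}
    for tok in text.split():
        if "=" not in tok:
            continue
        base, val = tok.split("=", 1)
        key, n = base, 1
        while key in out:
            n += 1
            key = "%s.%d" % (base, n)
        out[key] = val
    return out


def parse_log_line(line, prefix=LOG_PREFIX):
    """Parse one netfilter LOG line; return None if it lacks the expected prefix.
    For an ICMP error, the bracketed original packet is parsed into fields['inner']."""
    marker = "kernel: " + prefix
    pos = line.find(marker)
    if pos < 0:
        return None
    body = line[pos + len(marker):]
    inner = None
    m = re.search(r"\[(.*?)\]", body)
    if m:
        inner = _fields(m.group(1))
        body = body[:m.start()] + body[m.end():]
    fields = _fields(body)
    fields["inner"] = inner
    return fields


def left_on_wrong_link(fields, expected_oif):
    """True when an ICMP packet was logged with an OUT= interface other than
    the one the ROUTE --oif rule is meant to force."""
    return fields.get("PROTO") == "ICMP" and fields.get("OUT") != expected_oif
```

OUT= records the routing decision at the point the LOG rule ran, which is why the quoted line shows eth0 when the LOG rule sits before the ROUTE rule, as the reply explains.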
